cloudstack-dev mailing list archives

From Chip Childers <chip.child...@sungard.com>
Subject Re: VNC listen address for KVM
Date Thu, 21 Mar 2013 20:38:04 GMT
On Thu, Mar 21, 2013 at 02:27:48PM -0600, Marcus Sorensen wrote:
> This is breaking 4.1. Should we revert the commit for this release?

Perhaps.  Do you think it's related to CLOUDSTACK-1740 though?  I'd
assume that this is a KVM change being discussed below, but 1740 is for
Xen.  Perhaps it's a common problem?

> 
> On Sat, Jan 5, 2013 at 10:29 AM, John Kinsella <jlk@stratosec.co> wrote:
> > nice, hadn't considered ACLing that at the hypervisor level
> >
> > On Jan 4, 2013, at 12:09 PM, Wido den Hollander <wido@widodh.nl> wrote:
> >
> >> Hi,
> >>
> >> I just noticed that CLOUDSTACK-411 got resolved which is related to CLOUDSTACK-410
> >>
> >> * https://issues.apache.org/jira/browse/CLOUDSTACK-410
> >> * https://issues.apache.org/jira/browse/CLOUDSTACK-411
> >>
> >> Today I made this commit: 7240204a507cce8143c248e6aa635da6dad60ed0
> >>
> >> About 7 months ago I already fixed that the listen address for VNC would be
> >> set to the private IP of the hypervisor so that you don't have to specify vnc_listen in qemu.conf
> >>
> >> With vnc listening on 0.0.0.0 you have a potential security issue since you
> >> need a firewall to prevent the whole world connecting to your VNC.
> >>
> >>    <graphics type='vnc' port='5907' autoport='yes' listen='10.4.0.67'>
> >>      <listen type='address' address='10.4.0.67'/>
> >>    </graphics>
> >>
> >> That's what the XML definition looks like.
> >>
> >> With commit 7240204a507cce8143c248e6aa635da6dad60ed0 this works again, but 30
> >> minutes later I figured out that migrations break due to this, dôh!
> >>
> >> On the other hypervisor that private IP isn't available for binding, so Qemu
> >> won't start...
> >>
> >> Instead of reverting the commit I'm now working on changing the XML during migration.
> >> libvirt supports this, but libvirt-java doesn't.
> >>
> >> I have a bunch of patches still ready for libvirt-java. Together with those
> >> patches I'll submit this to the libvirt guys next week.
> >>
> >> The method in libvirt-java will be:
> >>
> >> migrate(Connect dconn, long flags, String dxml, String dname, String uri, long
> >> bandwidth)
> >>
> >> dxml: (optional) XML config for launching guest on target
> >>
> >> In LibvirtComputingResource I'll generate a new XML with the private IP of the
> >> new hypervisor and pass that on to the migrate method.
> >>
> >> For the 4.1 release libvirt-java 0.5.0 should be out and this should then work.
> >>
> >> No more need for setting vnc_listen in qemu.conf and no potential security leak
> >> of having VNC listening world-wide (assuming your hypervisor has a public IP).
> >>
> >> Just wanted to let you know what I'm working on.
> >>
> >> Wido
> >>
> >
> > Stratosec - Secure Infrastructure as a Service
> > o: 415.315.9385
> > @johnlkinsella
> >
> 

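The XML rewrite Wido describes (bind VNC to the hypervisor's private IP, and regenerate the domain XML with the destination host's private IP before handing it to migrate() as dxml), as an added example. This is not code from the thread, from CloudStack's LibvirtComputingResource or from libvirt-java; it only manipulates the domain XML with the standard library, so it runs without libvirt. The sample domain, its name and the destination IP 10.4.0.68 are constructed for the example; the <graphics> element is modelled on the one quoted above.

```python
"""Rewrite the VNC listen address in a libvirt domain XML before migration.

Added example, not CloudStack or libvirt-java code. It assumes the domain
XML carries the <graphics type='vnc'> element shown in the thread and that
the caller already knows the destination hypervisor's private IP.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample (hypothetical domain name), modelled on the XML quoted
# in the thread: VNC bound to the source hypervisor's private IP.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>i-2-7-VM</name>
  <devices>
    <graphics type='vnc' port='5907' autoport='yes' listen='10.4.0.67'>
      <listen type='address' address='10.4.0.67'/>
    </graphics>
  </devices>
</domain>"""


def vnc_listen_addresses(domain_xml: str) -> list:
    """Return every address a VNC <graphics> element binds to.

    Both the legacy listen= attribute and the <listen type='address'> child
    are reported, because libvirt honours either spelling."""
    root = ET.fromstring(domain_xml)
    addrs = []
    for graphics in root.iter("graphics"):
        if graphics.get("type") != "vnc":
            continue
        if graphics.get("listen"):
            addrs.append(graphics.get("listen"))
        for listen in graphics.findall("listen"):
            if listen.get("type") == "address" and listen.get("address"):
                addrs.append(listen.get("address"))
    return addrs


def listens_world_wide(domain_xml: str) -> bool:
    """True if any VNC listener binds the unspecified address (0.0.0.0 or ::),
    i.e. the configuration the thread warns needs a firewall in front of it."""
    return any(ipaddress.ip_address(a).is_unspecified
               for a in vnc_listen_addresses(domain_xml))


def rewrite_vnc_listen(domain_xml: str, dest_private_ip: str) -> str:
    """Build the dxml for migrate(): the same domain with VNC bound to the
    destination hypervisor's private IP instead of the source's.

    autoport='yes' is left untouched so the destination can choose a free
    VNC port; only the bind address changes."""
    ipaddress.ip_address(dest_private_ip)  # ValueError on a malformed address
    root = ET.fromstring(domain_xml)
    for graphics in root.iter("graphics"):
        if graphics.get("type") != "vnc":
            continue
        if graphics.get("listen") is not None:
            graphics.set("listen", dest_private_ip)
        for listen in graphics.findall("listen"):
            if listen.get("type") == "address":
                listen.set("address", dest_private_ip)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Source host binds 10.4.0.67; the destination (constructed) is 10.4.0.68.
    dxml = rewrite_vnc_listen(SAMPLE_DOMAIN_XML, "10.4.0.68")
    print(dxml)
```

The returned string is what would go into the dxml parameter of the migrate() signature quoted above; the source definition is left as it is, since the source side is still running on its own private IP until the migration completes. listens_world_wide() is the check to run on any domain XML that was produced while vnc_listen in qemu.conf was still the only control: a 0.0.0.0 bind on a host with a public address is exactly the exposure the thread is closing.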